release(v4.9.0): relay-side encrypted blob primitive + SDK Profile namespace

Ships the Prism FR (encrypted-profile-storage-v4.9.md) as a generic
relay-side encrypted blob primitive: deterministically-located,
AEAD-sealed blobs keyed by a 32-byte slotId derived client-side via
HKDF from the user's master key. Unlocks credential-only bootstrap
of new devices into existing E2EE state — no QR, no physical access.

Server: BlobStore interface + Memory/Sqlite/Postgres impls,
createBlobRoutes for GET/PUT/DELETE /v1/blob/:slotId with TOFU pubkey
auth and If-Match CAS (409/412 semantics). Mounted on the same Hono
app as the inbox; SHADE_BLOB_PG_URL / SHADE_BLOB_DB_PATH /
SHADE_DISABLE_BLOB env-var plumbing in standalone.

SDK: createProfileNamespace high-level wrapper (HKDF derivation,
random-nonce AEAD seal, slotId-bound AAD) + low-level BlobClient.
Cross-platform test vectors in test-vectors/blob-storage.json.

New errors: ConflictError (409), PreconditionFailedError (412).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/shade-crypto-web/src/ed25519-derive.ts

@@ -0,0 +1,18 @@
+import { ed25519 } from '@noble/curves/ed25519.js';
+
+/**
+ * Deterministically derive an Ed25519 public key from a 32-byte seed.
+ *
+ * In the @noble/curves convention the "private key" *is* the seed —
+ * `sign(seed, msg)` works directly, and `getPublicKey(seed)` recovers
+ * the matching public key. V4.9's encrypted-blob primitive uses this
+ * to mint a per-slot signing keypair from an HKDF output rooted at the
+ * user's master key, so the same credentials always reproduce the same
+ * keypair.
+ */
+export function ed25519PublicKeyFromSeed(seed: Uint8Array): Uint8Array {
+  if (seed.length !== 32) {
+    throw new Error(`Ed25519 seed must be 32 bytes, got ${seed.length}`);
+  }
+  return ed25519.getPublicKey(seed);
+}